Changed env parameters to be created in SSM and as a secret

Also added missing ones
Brexbot · Jan 2, 2024 · 7d15167 · 7d15167
1 parent a04511d
commit 7d15167
Show file tree

Hide file tree

Showing 3 changed files with 83 additions and 14 deletions.
diff --git a/terraform/ecs.tf b/terraform/ecs.tf
@@ -92,11 +92,26 @@ resource "aws_ecs_task_definition" "ecs_task_definition" {
           awslogs-stream-prefix : "twiggy"
         }
       },
-
-      environment : [
+      secrets : [
+        {
+          "name" : "DISCORD_TOKEN",
+          "valueFrom" : aws_ssm_parameter.ssm_parameter_discord_token.arn
+        },
+        {
+          "name" : "ITAD_TOKEN",
+          "valueFrom" : aws_ssm_parameter.ssm_parameter_itad_token.arn
+        },
+        {
+          "name" : "TWITCH_SECRET",
+          "valueFrom" : aws_ssm_parameter.ssm_parameter_twitch_secret.arn
+        },
+        {
+          "name" : "TWITCH_CLIENT_ID",
+          "valueFrom" : aws_ssm_parameter.ssm_parameter_twitch_client_id.arn
+        },
         {
-          name : "PRODUCTION"
-          value : "1"
+          "name" : "OPEN_WEATHER_TOKEN",
+          "valueFrom" : aws_ssm_parameter.ssm_parameter_open_weather_token.arn
         }
       ]
     }

diff --git a/terraform/iam.tf b/terraform/iam.tf
@@ -19,29 +19,29 @@ resource "aws_iam_role" "ecs_task_role" {
       ]
     })
   }
+}
+
+resource "aws_iam_role" "ecs_task_execution_role" {
+  name               = "twiggy-ecs_task_execution_role"
+  path               = "/service-role/"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy_ecs_tasks.json
+  managed_policy_arns = [
+    "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+  ]
   inline_policy {
     name = "systems-manager-parameter-store-access"
     policy = jsonencode({
       Statement : [
         {
           Effect : "Allow",
           Action : "ssm:GetParameter",
-          Resource : "arn:aws:ssm:eu-west-1:866826529066:discord-token"
+          Resource : "arn:aws:ssm:eu-west-1:866826529066:/twiggy/*"
         }
       ]
     })
   }
 }
 
-resource "aws_iam_role" "ecs_task_execution_role" {
-  name               = "twiggy-ecs_task_execution_role"
-  path               = "/service-role/"
-  assume_role_policy = data.aws_iam_policy_document.assume_role_policy_ecs_tasks.json
-  managed_policy_arns = [
-    "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
-  ]
-}
-
 resource "aws_iam_role" "lambda" {
   name               = "twiggy-lambda"
   assume_role_policy = data.aws_iam_policy_document.assume_role_policy_lambda.json

diff --git a/terraform/ssm.tf b/terraform/ssm.tf
@@ -0,0 +1,54 @@
+resource "aws_ssm_parameter" "ssm_parameter_discord_token" {
+  name  = "/twiggy/discord_token"
+  type  = "SecureString"
+  value = "TODO"
+  lifecycle {
+    ignore_changes = [
+      value
+    ]
+  }
+}
+
+resource "aws_ssm_parameter" "ssm_parameter_itad_token" {
+  name  = "/twiggy/itad_token"
+  type  = "SecureString"
+  value = "TODO"
+  lifecycle {
+    ignore_changes = [
+      value
+    ]
+  }
+}
+
+resource "aws_ssm_parameter" "ssm_parameter_twitch_secret" {
+  name  = "/twiggy/twitch_secret"
+  type  = "SecureString"
+  value = "TODO"
+  lifecycle {
+    ignore_changes = [
+      value
+    ]
+  }
+}
+
+resource "aws_ssm_parameter" "ssm_parameter_twitch_client_id" {
+  name  = "/twiggy/twitch_client_id"
+  type  = "SecureString"
+  value = "TODO"
+  lifecycle {
+    ignore_changes = [
+      value
+    ]
+  }
+}
+
+resource "aws_ssm_parameter" "ssm_parameter_open_weather_token" {
+  name  = "/twiggy/open_weather_token"
+  type  = "SecureString"
+  value = "TODO"
+  lifecycle {
+    ignore_changes = [
+      value
+    ]
+  }
+}